supabase-automation
Fail
Audited by Snyk on Apr 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes multiple examples that embed real-looking secrets verbatim (inline supabase secrets set commands, .env files with JWTs/passwords, DATABASE_URL with plaintext password, and example API keys like sk-.../sk_live_...), which would push an LLM to handle or reproduce secret values directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required MCP integration (explicit "MCP Connection URL" and the "Setup MCP Server" steps pointing to https://mcp.supabase.com/mcp in SKILL.md) instructs the agent to connect to a public Supabase MCP endpoint that exposes docs, account/database/debugging logs and storage (potentially user-generated) which the agent is expected to read and act on as part of workflows, so untrusted third‑party content could influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime imports that fetch and execute remote code (e.g., Deno imports "https://deno.land/std@0.168.0/http/server.ts" and "https://esm.sh/@supabase/supabase-js@2") and configures an MCP endpoint ("https://mcp.supabase.com/mcp?project_ref=...") that injects model context into the agent at runtime, so these URLs provide external content that executes code or directly controls prompts.
Issues (3)
HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).